The Control
Test the overall strength of an organization’s defenses (the technology, the process and the people) by simulating the objectives and actions of an attacker.

A Twist: The Attack is the Solution
We now move into our final step of the Top 20 CIS Critical Security Controls. Throughout the series, we demonstrated how attack scenarios can be leveraged to take advantage of the lack of, or misconfigured, controls. A penetration test is the next logical step after you have implemented these controls to ensure that the controls have been implemented correctly.

A penetration test comes in many forms depending on the organizational need, company hired and end goal. I have broken these into four main types of tests performed regularly; however, there may be other tests offered to meet different goals. Either way, it is strongly recommended that you don’t just go out and buy a penetration test but that you define these goals and identify which test works best for your needs.

Compliance-Driven Penetration Testing (PCI/HIPPA/SOX) – The most motivating reason to perform a penetration test may not be a decision at all but rather a requirement by a compliance organization. PCI DSS clearly states that card holder data environment network penetration testing must occur annually as well as every time there is a major change to the network or application which serves the card holder data environment. When performing this type of test, assessors will follow a strict adherence to best practices surrounding the requirement. With PCI this may mean those requirements presented in the Information Supplement: Guidance for PCI DSS Scoping and Network Segmentation and latest releases of PCI-DSS documentation. Often, assessors will have a relationship with a PCI QSA which can assist in ensuring that all avenues of testing are comprehensive. A common failure seen is that organizations will buy the cheapest penetration test they can and use it as their PCI penetration test. While this may work if the organization is taking other steps such as performing segmentation testing, it may not be as exhaustive as their QSA or ISA would prefer.

Comprehensive Penetration Testing – This type of test focuses on bridging the gap between a vulnerability management program and a penetration test. It is generally the first level of non-compliance testing that is recommended for an organization. It allows an organization to get a holistic view of their networks and vulnerabilities, giving them the opportunity to match it up with their vulnerability management program to identify gaps in their current vulnerability detection methods. Often, it will be found that organizations aren’t sure about the entirety of their internal network IP ranging or will have misconfigured scanners which are not reporting on vulnerabilities correctly. To throw another wrench in there, not all scanners find the same things, so what one organization sees for a missing patch may be different than what an assessor is able to identify. Comprehensive testing is followed up with exploitation and post exploitation to demonstrate the risk of critical vulnerabilities identified. This risk is presented to help prioritize the remediation of critical vulnerabilities within the organization’s information technology and security hierarchy, often showing scenarios where more staffing hours or money may be required.

Targeted Penetration Testing – A targeted penetration test, on the other hand, is a scenario where a specific goal is in mind by the organization. Most commonly confused with a targeted compliance driven test, it focuses on the breach of a target system or specific information through the compromise of intermediary pivot systems. The information being targeted is completely up to the organization ordering the penetration test; however, it commonly includes: company secrets and trade information, payroll information such as direct deposit accounts and W2s, financial information such as ACH transfers and/or credit card data. Often an initial compromise of a domain administrator account will occur, allowing an attacker to move throughout the network as a legitimate user searching for the specified target.

Red Team Penetration Testing – The Holy Grail. If your organization ever gets to the point where you are ready to take the plunge into the deepest of penetration testing, then the Red Team assessment is for you. Red Team assessments are generally a “no holds barred” type assessment where an organization hires a team of experienced testers to breach the organization without any information being provided and without any assistance from the organization. This is a true black box test only designed for companies who have shown a strong security model and have resisted compromise in most other penetration testing activities. With these tests, assessors will only give the organization a broad period of time in which the assessment may occur and only limited company personnel should be in the “know.” This creates the most realistic scenario for your system defenses to be tested as well as your system operators. Red Team assessments are generally completed as stealthily as possible, targeting specific individuals with social engineering to gain a foot hold into the organization. With this, often assessors will scope out network as well as physical security controls and attempt to circumvent them by gaining access to sensitive network data or the physical location. Onsite, more social engineering may be leveraged to access buildings and implant devices onto the network. Multiple attack paths are considered, but the quietest and most impactful scenarios are demonstrated.

While all of this can sound scary to an organization just getting starting with penetration testing, going with a reputable group of proven professionals can help to avoid most pitfalls that can occur. This testing, when performed in combination with your security and technology staff, can have a greater impact as knowledge transfer both ways can really add an extra level of effectiveness to the penetration test. Assessors benefit from this conversation by knowing key areas to check into and staff benefit by learning how risky some innocuous vulnerability may be. Not all penetration tests leverage high and critical vulnerabilities, some don’t even use a vulnerability scanner. It’s important to know what your organization needs (is it compliance driven?) and wants (collaborative understanding) when selecting a company and type of penetration test.

Joshua Platz is a senior consultant in Optiv’s advisory services practice on the attack and penetration team. Joshua’s role is to provide internal and external network penetration testing to determine vulnerabilities and weaknesses in client networks and environments. He specializes in PCI DSS, wireless, social engineering, password cracking, as well as post-exploitation of customer networks.